COPPA and Children's Privacy: What Parents Should Know and Do

Aug 20, 2020 by BBB National Programs

As a parent, it can be difficult to keep up with all the ways your child uses technology. From board books to iPads, weekend cartoons to YouTube, even traditional schooling has had to adapt to online classes. Trying to stay on top of what your child is watching, what ads they are seeing, and what is happening with their data can be overwhelming, but understanding COPPA, the Children’s Online Privacy Protection Act, can help.  

COPPA was passed in 1998 with the goal of putting control over the online collection of children’s personal information into the hands of parents. This legislation regulates how online services like websites and mobile apps collect, use, and share personal information from children under 13. COPPA also gives the Federal Trade Commission (FTC) the power to enforce the law, usually by issuing fines to online services that are not compliant. 

 

What is personal information? 

 

COPPA helps protect a child’s personal information, which is the information that identifies that you are you.  

 

Some personal information is obvious. Other information is collected without you seeing it happen. 

  • First and last name 

  • Home or other physical address (street name and name of a city or town) 

  • Online contact information (such as an email address; anything that permits a child to be contacted online) 

  • Screen or username (when it functions as online contact information) 

  • Telephone number 

  • Social Security number 

 

  • Persistent identifier that can be used to recognize a user over time and across different websites or online services. Persistent identifiers include, but are not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier 

  • A photograph, video, or audio file containing a child's image or voice 

  • Geolocation information sufficient to identify street name and name of a city or town; (or precise location) 

  • Any information about the child or the parents of that child that the operator collects online from the child and combines with any other personal information as outlined above 

 

Child-Directed, Notice, and Verifiable Parental Consent 

 

COPPA protects a child’s personal information for “child-directed” content. “Child-directed” is a term that means an online service is targeted exclusively or in part to children. For example, a gaming website that only provides games made for young children could be child-directed, but so could a gaming website that provides games made for both young children and teens.  

On these websites, platforms, and in these child-directed apps, COPPA applies.  

By contrast, general audience online services are not targeted to children at all, even though some children may still visit the site. If a website or app seems to be general audience rather than child-directed, the service may not have COPPA protections in place for children’s personal information.  

For example, most social media services like Instagram, SnapChat, and Twitter don’t allow children under 13 to be on their service and state that in their Terms of Service. As a result of requiring that all users be over the age of 13, there are no extra privacy protections for children that these social media services are obligated to provide.  

So as a parent, if you want to assess the online service or app that your child is using, step one is to check out the Terms of Service to see whether children should be using the service at all.  

When the FTC reviews an app, website, or other online service to determine if it should be considered child-directed content or not, here are some of the factors that are being taken into consideration: 

  • Subject matter that is likely intended for children, such as youth arts and crafts or toys and games. 

  • Visual content, for example bright colors or cartoons. 

  • Use of animated characters or child-oriented activities/incentives, like coloring. 

  • Music or other audio content that appeals to children, like the ABC song. 

  • Age of models on the service or platform. If a website depicts only children using their product or playing their games, that may be a good indicator the website is targeted to children. 

  • Presence of child celebrities/celebrities that appeal to children, such as a character from a popular children’s TV show, like Elmo. 

  • Language and other characteristics of the online service, such as using simple words, shorter sentences, and large text to make it easily accessible to children. 

  • Advertising placement promoting the service. For example, if a gaming app places an ad during children’s daytime programming on TV, that app is targeting children.  

 

Content creators across platforms, whether creating content for an advertisement or a video for YouTube, should be taking the above criteria into consideration when creating their content and determining where it will be placed online.   

Once a platform, website, or other online service is identified as “child-directed,” COPPA requires that that service or platform take three steps: 

  1. Include a notice that describes how they collect, use, and disclose children’s personal information that they have collected through use of the service. This notice can typically be found in the online service’s privacy policy; some services even have a separate privacy policy that is dedicated to explaining how they handle children’s information.

  2. Online services also must provide a direct notice to the parent or guardian that explains the same information, which is usually sent via email when a child signs up for the service. The direct notice should be sent to you even if the service does not collect or use the child’s personal information.

  3. In addition to providing notice, an online service must get your consent via a verifiable method before they can collect, use, or share any of your child’s personal information. This is called verifiable parental consent, or VPC.  


How will online services ask for this? Some services directed to children only collect persistent identifiers (such as cookies) to use in their internal operations, such as serving contextual ads on their site or performing site analytics and maintenance. In that case, if they are not collecting other types of personal information or sharing it with third parties for external uses, the service may ask your child for your email address. Then, they send you an email with a confirmation link or similar way to “activate” your child’s account. The FTC refers to this as the “email plus” method of consent.  

Sometimes online services directed to children collect other personal information or share it with third parties for behavioral advertising and other uses. In those circumstances, they can obtain VPC by asking the parent to call a toll-free number, videoconference with staff, sign and return a consent form, or by entering a credit or debit card to confirm you really are the child’s parent/guardian. 

The purpose of VPC is so that parents can be informed of the privacy and data practices of the online services their child is using, as well as how you can contact the site to review their children’s data or have the data deleted. 

 

If You See Something, Say Something  

 

Now that you know more about COPPA, what can you do if you notice something fishy about a service your child is using? If there is anything about the advertising or privacy practices on a child-directed site that you think doesn’t follow COPPA, you can file a complaint with us at CARU here, or by emailing us at infocaru@bbbnp.org. The complaint goes directly to CARU staff who will investigate the complaint and take necessary steps to make sure the issue is rectified.  

Suggested Articles

Blog

American Privacy Rights Act: A Primer for Business

Was it the recent series of natural phenomena that prompted Congress to move on a bipartisan, bicameral federal privacy bill? We can’t say with certainty, but we can outline for you what we believe to be, at first glance, the most compelling elements of the American Privacy Rights Act of 2024 (APRA).
Read more
Blog

Take Care of Your “Health-Lite” Claims

Some advertisers believe they can avoid scrutiny when making health-related claims by making their claim “softer.” But context is key. Health benefit claims must comply with the FTC’s Health Products Compliance Guidance. The substantiation bar is not lowered by changing the approach to the health-related claim.
Read more
Blog

Bullish but Cautionary: A Balanced Way to Approach the Impact of AI

Business and nonprofit leaders in the U.S. may not feel so weighty a responsibility in assessing the global impact of AI, but we must realize AI’s power to impact our organizations, our local economies, our sectors, and our nation.
Read more
Blog

New Rules of the Road Can Sustain US Leadership on Interoperable Digital Data Flows

President Biden closed February 2024 with an EO that signaled an important development for how the U.S. plans to position and guard itself from global adversaries, and speaks volumes about how the U.S. views the next-generation impacts of data flows on the digital economy and how our nation can be better equipped as a global leader. Read our takeaways and future considerations.
Read more